DETAILED ACTION

Claims 30-45 are pending.

All objections and rejections not set forth below have been withdrawn.



Specification

The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required:

Newly added claims 30-45 comprise the following undisclosed recitations: "wherein examining the HTTP request for script constructs consists of examining only HTML elements where user input is introduced", "finding a script construct within a particular HTML element"; "further comprising encoding user input to render the script construct inert", "wherein the request includes a request for dynamic content in the form of an embedded link", and "examining only the request for dynamic content in the form of the embedded link and other HTML elements where user input is introduced". These recitations are not found by the examiner nor shown by the applicant to be supported within the applicant's original disclosure. For example, the applicant's original disclosure appears to show support for examining headers, queries, cookies, fields of an HTTP request, the request answered by an HTML rendered response. However, the original disclosure reveals no support for the applicant's recitations such as "examining only HTML elements where user input is introduced". For example, the applicant's original disclosure appears to show support for aborting the processing of a request or encoding a request, however, there is no support for an embodiment of "further comprising encoding user input to render the script construct inert". For example, the applicant's original disclosure appears to show support for a user clicking on an embedded link which generates a request to a web server, however, there is no support for recitations such as "wherein the request includes a request for dynamic content in the form of an embedded link", and "examining only the request for dynamic content in the form of the embedded link and other HTML elements where user input is introduced".

Drawings

The drawings are objected to under 37 CFR 1.83(a). The drawings must show every feature of the invention specified in the claims. Therefore, the features of the newly added claims such as "wherein examining the HTTP request for script constructs consists of examining only HTML elements where user input is introduced", "finding a script construct within a particular HTML element"; "further comprising encoding user input to render the script construct inert", "wherein the request includes a request for dynamic content in the form of an embedded link", and "examining only the request for dynamic content in the form of the embedded link and other HTML elements where user input is introduced", must be shown or the feature(s) canceled from the claim(s). The examiner notes that while the applicant has originally shown the features of an HTTP request, receiving an HTTP request, and examining the HTTP request, the newly added recitations such as the above are found lacking within the applicant's drawings. No new matter should be entered.

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as "amended." If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either "Replacement Sheet" or "New Sheet" pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Objections

Claim 38 is objected to under 37 CFR 1.75(c), as being of improper dependent form for failing to further limit the subject matter of a previous claim. Applicant is required to cancel the claim(s), or amend the claim(s) to place the claim(s) in proper dependent form, or rewrite the claim(s) in independent form. Regarding this claim, the respective parent claim already recites what is essentially storing ("maintaining") a list on a server. Furthermore, the examiner presumes claim 38 to reference the "web server" as opposed to "the server".

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 30-45 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor(s), at the time the application was filed, had possession of the claimed invention. Applicant has not pointed out where the new (or amended) claim is supported, nor does there appear to be a written description of the claim limitations in the application as filed (see above objection to the specification).



The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 30-45 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Specifically, claims 30 and 45, each comprise the recitation (or essentially similar), "examining only HTML elements where user input is introduced". The examiner notes that these recitations render the scope of the claimed invention indeterminate as it is unclear what should be interpreted as "only HTML elements where user input is introduced". While the newly added claims appear to further define HTML elements as variables, query strings, URLs, and headers (ex. claim 40), the examiner notes that such a definition is absent from the applicant's original disclosure and appears inconsistent with what one of ordinary skill in the art would regard to be parts of an HTTP request (i.e. HTTP request elements). For the purpose of examination, the examiner presumes the applicant to recite "...HTTP request elements...".

Regarding claim 32, the recitation "the event" lacks antecedent basis. For the purpose of examination, the examiner presumes the applicant to recite "an event".

Regarding claim 37, the recitation "wherein the particular HTML element is an element size" appears nonsensical. The examiner notes that an element size appears to be a quality associated with an element, not an element itself.

Regarding claim 40, "error the event" lacks antecedent basis. For the purpose of examination, the examiner presumes the applicant to recite "an error event".

Depending claims are rejected by virtue of dependency.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 30-45 are rejected under 35 U.S.C. 103(a) as being unpatentable over Razmov et al. (Razmov), "Practical Automated Filter Generation to Explicitly Enforce Implicit Input Assumptions" in view of CERT Coordination Center (CERT), "Malicious HTML Tags Embedded in Client Web Requests" and "Understanding Malicious Content Mitigation for Web Developers" in view of Fielding et al. (Fielding), RFC 2616.

Regarding claim 1, Razmov discloses:

receiving an HTTP request at the web server, the HTTP request having been sent by the user computer and requesting a response (Razmov; sect. 4, 4.1 - herein prior art discloses sending and receiving HTTP requests, the request being a request for a response from a web server);

Razmov discloses a system that utilizes useful and powerful "filters" for validating requests (i.e. client input) and thus providing security (Razmov, Abstract; sect. 3.2, par. 2). The examiner notes that Razmov does not appear to explicitly recite that the requested response from the web server is a response that includes text and HTML elements.

Cert, however, discloses that such request validation is useful for protecting a system from malicious responses from a web server that comprise dynamically generated HTML pages (i.e. text and HTML elements) (Cert, pg. 1/8, "Overview"; pg. 2/8, "Malicious code sent...").

It would have been obvious to one of ordinary skill in the art to recognize that the system of Razmov was utilized for protecting clients from malicious responses from a web server that includes text and HTML elements. This would have been obvious because one of ordinary skill in the art would have been motivated to recognize the teachings of Cert as explicitly directed to by Razmov (Razmov, sect. 3.2, par. 2; pg. 11, col. 1, "[4]").

The combination enables:

before dynamic rendering of the HTTP request, using a script module of the server computer to examine the HTTP request for script constructs (Razmov, fig. 2; sect. 3.2, par. 2; sect. 4) identified in an updateable list of markers of active content stored at the web server (Razmov, sect. 3.2, par. 2; Cert, pg. 2/9, "Identifying the Special Characters"; Razmov, sect. 4.1, par. 1, bullet 3; pg. 7, col. 2, par. 1; sect. 5.2, par. 3), wherein examining the HTTP request for script constructs consists of examining only HTML elements where user input is introduced (Razmov, sect. 3.1, par. 3 - herein the client request is decomposed into input elements wherein the input elements are examined);

finding a script construct within a particular HTML element; in response to finding the script construct within the particular HTML element, generating an error and aborting processing of the HTTP request (Razmov, sect. 4; sect. 4.1);

The combination enables for input validation and for notifying the user of an error when the input comprises a script construct. However, the examiner notes that the prior art does not appear to explicitly recite informing the user computer that the script construct has been found in the HTTP request and requesting that the user computer resubmit a request.

Fielding discloses that error messages for invalid HTTP requests should inform and be used such that a user can take corrective measures and resubmit a request (Fielding, pg. 65, sect. 10.4; pg. 65, sect. 10.4.1; pg. 67, sect. 10.4.10).

It would have been obvious to one of ordinary skill in the art to incorporate the teachings of Fielding within the error messages of the prior art combination. This would have been obvious because one of ordinary skill in the art would have been motivated to allow a user to learn and take proactive measures to ensure the safety of his/her communications. For example, a user could be informed that his HTTP request, which was submitted by clicking on a link, was invalid or malicious and would be encouraged to safely resubmit a subsequent request, such as by manually keying in the correct URL.

Regarding claims 31-37, the combination enables:

wherein the particular HTML element is an event; wherein the event is an onclick event; wherein the particular HTML element is an expression; wherein the particular HTML element is a value of a name/value pair; wherein the particular HTML element is a value of a tag attribute/value pair; wherein the particular HTML element is an anchor in an href attribute; wherein the particular HTML element is an element size (Razmov, sect. 4; sect. 4.1, par.; Cert, pg. 1/9, "Problem Summary", par. 3; pg. 2/9, "Identifying the Special Characters" - herein the prior art enables for all input elements to be examined for script constructs).

Regarding claims 38-41, the combination enables:

maintaining, at the server, the updateable list of markers of active content; wherein receiving the HTTP request includes receiving and examining each of: a query string; a field of an HTTP form; and a header; wherein the HTML elements where user input is introduced include at least one of: form variables; query string variables; URLs with key value pairs; or headers; in response to finding the script construct within the particular HTML element, generating an error event and logging the error event for administrative review; wherein the error event is logged for administrative review (Razmov, fig. 3; sect. 4, 4.1; Cert, pg. 1/9, "Mitigation Summary" - herein the prior art enables for all input elements to be examined for script constructs and logging errors).

Regarding claim 43, the combination enables:

encoding user input to render the script construct inert (Cert, pg. 2/9, "Encoding Dynamic Output Elements").

Regarding claims 44 and 45, they comprise essentially similar limitations, and they are rejected, at least, for the same reasons. Furthermore, the combination enables for client requests to result from malicious embedded links (Cert, pg. 2/8, "Malicious code sent...").
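The request-filtering steps recited in the claim mapping above (examine only the request elements that carry user input against an updateable marker list, abort with an error and log on a match, or encode the input instead), shown as an added Python example. It is not code from the application, Razmov, CERT or this Office action; the marker list, function names and sample requests are assumptions made for illustration.

```python
import html
import logging
from urllib.parse import parse_qsl, urlsplit

log = logging.getLogger("request_filter")

# Assumed, illustrative marker list. The claims call for an updateable list
# kept at the server, so it is data passed to the check, not fixed logic.
MARKERS = ["<script", "javascript:", "onclick=", "expression("]


class ScriptConstructFound(Exception):
    """Raised to abort processing; records which request element matched."""
    def __init__(self, element, marker):
        super().__init__(f"script construct {marker!r} in {element}")
        self.element, self.marker = element, marker


def request_elements(url, headers, form):
    """Yield (name, value) for the request elements that carry user input:
    query-string variables, form fields and headers."""
    for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        yield f"query:{k}", v  # parse_qsl has already percent-decoded v
    for k, v in form.items():
        yield f"form:{k}", v
    for k, v in headers.items():
        yield f"header:{k}", v


def examine(url, headers, form, markers=MARKERS):
    """Check every element against the marker list before any rendering.
    On a match, log the event for administrative review and abort."""
    for name, value in request_elements(url, headers, form):
        folded = "".join(value.split()).lower()  # ignore case and whitespace
        for m in markers:
            if m in folded:
                log.warning("rejected request: %s matched %r", name, m)
                raise ScriptConstructFound(name, m)


def handle(url, headers, form):
    """Return (status, body); 400 (RFC 2616 sect. 10.4.1) invites a corrected
    resubmission."""
    try:
        examine(url, headers, form)
    except ScriptConstructFound as e:
        return 400, f"Request rejected: disallowed content in {e.element}. Please resubmit."
    q = dict(parse_qsl(urlsplit(url).query))
    # Encoding alternative: escaped input is rendered as text, not as markup.
    return 200, f"<p>Results for {html.escape(q.get('q', ''))}</p>"
```

Substring matching on a marker list is simple to update but prone to false positives; the encoding step in `handle` is what keeps accepted input inert in the response.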

Response to Arguments

Applicant's arguments with respect to claims 30-45 have been considered but are moot in view of the new ground(s) of rejection.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffery Williams whose telephone number is (571) 272-7965. The examiner can normally be reached on 8:30-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the organization where this application or proceeding is assigned is (703) 872-9306.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

J.Williams
AU:2137

/Emmanuel L. Moise/
Supervisory Patent Examiner, Art Unit 2137